7/21 XSS vulnerability
The 7/21 XSS vulnerability was a cross-site scripting (XSS) vulnerability in the forums that allowed users to put HTML in posts. The site was taken offline, and then the vulnerability was fixed. The incident happened on July 21, 2018. Many users abused the bug instead of reporting it.

History

On July 21, 2018, a user by the name of Amorbis started it accidentally when he made a test post using HTML tags to try to make a post with colored text. The test was successful: the color displayed. It was then leaked to other users, who tried it themselves, leading to abuse of the cross-site scripting vulnerability. People used other HTML tags, such as the "script" tag to make alerts. Others posted images with the "img src" tag, and others posted tags such as "marquee" to make text move. People even made posts that redirected to another URL using HTML. Some scripts changed the layout of the website when a user viewed the post. It even escalated to fake virus warnings via alert scripts, which scared some people. (Alert code: )

Eventually, the site was offline for "approximately 5 minutes" (according to Micheal) and then it was fixed. The vulnerability was patched, and HTML on the forums no longer worked.

Aftermath

The bug was fixed, and Micheal, an administrator of Brick Planet, posted a forum post regarding the XSS vulnerability. Micheal told everyone that their data was safe and that they had not been hacked. The post read:

Before I begin, it should be established that XSS is not a virus. It appears person(s) have discovered a client-side vulnerability in our site and rather than reporting the vulnerability, leaked it to other users (~11:30 AM CST). As a result, persons who misused the vulnerability will be moderated appropriately. However, the issue did not (and will not) affect gameplay, items, or any of your Brick Planet data.

Unfortunately, our development team was not available immediately to resolve the issue, but were notified and began working to solve the issue within minutes. The site was taken offline for approximately 5 minutes to combat the issue (11:53 AM CST - 11:58 AM CST). As I stated earlier, this was a client-side vulnerability and will not affect your Brick Planet data. It has since been resolved and our developers are continually working to improve the security of our site. Our team appreciates and understands that you entrust us with your data. We are using all of our available tools to make sure it is secure. If you have any questions, comments, or concerns, you're always free to email our team, or post in the Help subforum.

tl;dr Your information is fine. We were not hacked.

Some users even thought their IP was logged via HTML scripts, or thought their computer was infected with a virus. The Brick Planet site was not really "hacked"; it was just an XSS vulnerability.
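One common way to reach the state described above, where HTML typed into a post no longer works, is to encode post text at the point of output. The following is an added example, not Brick Planet's code: the function names and sample posts are constructed, and it is not known how the site actually implemented its fix. It renders the same posts with and without encoding and lists which tags end up as live markup.

```javascript
// Added illustration: names and sample posts are constructed, not Brick Planet's code.

// Encode the five characters that let text break out of HTML content or a quoted attribute.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// The "before": the post body is concatenated into the page as markup.
function renderPostUnsafe(post) {
  return `<div class="post"><b>${post.author}</b><p>${post.body}</p></div>`;
}

// The "after": every user-controlled field is encoded where it is written out.
function renderPostSafe(post) {
  return `<div class="post"><b>${escapeHtml(post.author)}</b><p>${escapeHtml(post.body)}</p></div>`;
}

// Opening tags present as live markup, ignoring the tags of the hypothetical template itself.
function liveTags(html) {
  const template = new Set(["div", "b", "p"]);
  const names = [...html.matchAll(/<\s*([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
  return names.filter((n) => !template.has(n));
}

// Constructed sample posts, one per kind of tag the article lists, plus ordinary text.
const SAMPLE_POSTS = [
  { author: "user1", body: '<font color="red">colored text</font>' },
  { author: "user2", body: "<script>alert('test')</script>" },
  { author: "user3", body: '<img src="https://example.invalid/a.png">' },
  { author: "user4", body: "<marquee>moving text</marquee>" },
  { author: "user5", body: '<meta http-equiv="refresh" content="0;url=https://example.invalid/">' },
  { author: "user6", body: "plain text with 1 < 2 & 3 > 2" },
];

// For each post, report which tags survive as markup under each renderer.
function audit(posts) {
  return posts.map((post) => ({
    author: post.author,
    unsafeTags: liveTags(renderPostUnsafe(post)),
    safeTags: liveTags(renderPostSafe(post)),
  }));
}

for (const row of audit(SAMPLE_POSTS)) {
  console.log(row.author, "raw:", row.unsafeTags.join(",") || "-", "encoded:", row.safeTags.join(",") || "-");
}
```

With encoding, the posts still display exactly what the user typed, including the angle brackets, but the browser treats it as text.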